In the previous section, we looked at a scenario where Simran was sending encrypted and digitally signed data to Brian. During the process, we saw how Simran and Brian used each other's private and public keys. A public key has to be shared between two parties. The problem now is to work out how the system knows that Brian's public key really is his, and does not come from someone pretending to be Brian. To overcome this challenge, we can use certificates to verify that shared public keys come from their purported source. Let's introduce certificates to the previous example and see how things would work.
The digital signature process works as follows:
- Simran's private key will be used to encrypt the message digest. This private key will be retrieved from Simran's digital certificate. The private key verifies that the certificate is issued by a valid authority and that it's authentic.
- Simran's public key is also attached to the message, as it can be used by Brian to verify the signature. This will be available to Brian via Simran's digital signature.
The data encryption process works as follows:
- A one-time symmetric key is used to encrypt the whole message, and after that, the key itself will be encrypted using Brian's public key. This public key will be retrieved using Brian's digital certificate, as it confirms that it is from Brian. It is certified by a CA that Simran also trusts.
The data decryption process works as follows:
- The first step is to decrypt the one-time symmetric key using Brian's private key. This symmetric key will be retrieved using Brian's digital certificate. Once the key is retrieved, the key will be decrypted, and it will be used to decrypt the entire message.
The signature verification process works as follows:
- The message digest (hash) is encrypted using Simran's private key. It can be decrypted using Simran's public key. This public key can be retrieved from Simran's digital certificate. This certificate is issued by a CA that is trusted by Brian.
The rest of the steps are exactly the same as I explained in the Signing, encryption, and decryption section.
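The signature verification step above, as an added example that is not from the original text: Brian accepts Simran's signature only when her certificate was signed by the CA he trusts, so a certificate that merely claims her name is rejected. It assumes the third-party Python `cryptography` package; the CA name "Example CA", the helper names and the RSA/SHA-256 choices are illustrative, and validity dates and revocation are not checked.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

def new_key():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)

def make_cert(subject_cn, subject_key, issuer_cn, issuer_key):
    """Constructed sample certificate binding subject_cn to subject_key's public key."""
    def name(cn):
        return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(name(subject_cn)).issuer_name(name(issuer_cn))
            .public_key(subject_key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(minutes=1))
            .not_valid_after(now + datetime.timedelta(days=1))
            .sign(issuer_key, hashes.SHA256()))

def _sig_ok(public_key, signature, data, algorithm):
    try:
        public_key.verify(signature, data, padding.PKCS1v15(), algorithm)
        return True
    except InvalidSignature:
        return False

def issued_by(cert, ca_cert):
    """True only if cert names the CA as issuer and carries a valid CA signature."""
    return cert.issuer == ca_cert.subject and _sig_ok(
        ca_cert.public_key(), cert.signature, cert.tbs_certificate_bytes, cert.signature_hash_algorithm)

def verify_message(message, signature, sender_cert, ca_cert):
    """Check the certificate against the trusted CA first, then the message signature."""
    return issued_by(sender_cert, ca_cert) and _sig_ok(
        sender_cert.public_key(), signature, message, hashes.SHA256())

def sign(private_key, message):
    return private_key.sign(message, padding.PKCS1v15(), hashes.SHA256())

# Constructed sample data: one trusted CA, Simran, and an impostor claiming to be Simran.
ca_key, simran_key, impostor_key = new_key(), new_key(), new_key()
ca_cert = make_cert("Example CA", ca_key, "Example CA", ca_key)
simran_cert = make_cert("Simran", simran_key, "Example CA", ca_key)
fake_cert = make_cert("Simran", impostor_key, "Example CA", impostor_key)  # not signed by the CA
message = b"constructed sample message"
```

The impostor's certificate carries the same subject and issuer names as the genuine one, so only the CA signature check tells them apart.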